CVE-2021-20292: DRM Memory Management Double Free Privilege Escalation Vulnerability

A flaw was reported in the Linux kernel in versions before 5.9, in nouveau_sgdma_create_ttm in drivers/gpu/drm/nouveau/nouveau_sgdma.c in the Nouveau DRM subsystem. The issue results from the lack of validation that an object exists before operations are performed on it. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

CVE
#vulnerability#linux#red_hat

Description Dhananjay Arunesh 2021-03-16 19:50:26 UTC

There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

This has already been addressed in upstream commit 5de5b6ecf97a021f29403aa272cb4e03318ef586.

Note: Kernel with CONFIG_SLAB_FREELIST_HARDENED=y option enabled should not be affected with this flaw.
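
The note above points at CONFIG_SLAB_FREELIST_HARDENED as the config option that is expected to blunt this flaw. The following POSIX shell script is an added example, not part of the Bugzilla thread or of any Red Hat tooling: it checks whether a kernel config (the running kernel's /boot/config-$(uname -r), /proc/config.gz, or a file passed as the first argument) has that option enabled. The sample config strings embedded in it are constructed for the self-check and are not real kernel configs.

```shell
#!/bin/sh
# Added example: report whether CONFIG_SLAB_FREELIST_HARDENED=y is set in a
# kernel config. Usage: ./check_freelist_hardened.sh [path-to-config]

# Return 0 if the option is enabled (=y) in the config text on stdin, 1 otherwise.
# -x forces a whole-line match, so "# CONFIG_SLAB_FREELIST_HARDENED is not set"
# and any similarly prefixed option name do not count as enabled.
freelist_hardened_enabled() {
    grep -qx 'CONFIG_SLAB_FREELIST_HARDENED=y'
}

# Emit the config text, decompressing /proc/config.gz style inputs.
read_kernel_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Classify a config string (constructed helper): prints "hardened" or "not-hardened".
classify_config() {
    if printf '%s\n' "$1" | freelist_hardened_enabled; then
        echo hardened
    else
        echo not-hardened
    fi
}

# Constructed sample configs for the self-check below (not real kernel configs).
sample_hardened='CONFIG_SLAB=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y'
sample_not_hardened='CONFIG_SLAB=y
# CONFIG_SLAB_FREELIST_HARDENED is not set'

main() {
    cfg="${1:-/boot/config-$(uname -r)}"
    # Fall back to the in-kernel copy of the config when the /boot file is absent.
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=/proc/config.gz
    fi
    if [ ! -r "$cfg" ]; then
        echo "no readable kernel config found at $cfg" >&2
        return 2
    fi
    if read_kernel_config "$cfg" | freelist_hardened_enabled; then
        echo "$cfg: CONFIG_SLAB_FREELIST_HARDENED=y (the report notes such kernels should not be affected)"
    else
        echo "$cfg: CONFIG_SLAB_FREELIST_HARDENED not enabled"
    fi
}

# Only inspect a real kernel when a config path is given on the command line,
# so the functions above can also be sourced and exercised on the samples.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The whole-line match matters: kernel configs list disabled bool options as a commented "is not set" line, so a loose substring search would report the option as present on every kernel that merely knows about it.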

Comment 1 Dhananjay Arunesh 2021-03-16 19:51:06 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1939687]

Comment 2 Justin M. Forbes 2021-03-17 16:16:23 UTC

Not really much to go on here, no CVE, no upstream reference?

Comment 4 Justin M. Forbes 2021-03-22 22:43:24 UTC

So a CVE was gotten, but there are still absolutely no details here. Where in DRM? Is there an upstream patch, or even any upstream discussion?

Comment 13 Rohit Keshri 2021-03-24 05:37:55 UTC

Mitigation:

Mitigation for this issue is either not available or the currently available options don’t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 14 Justin M. Forbes 2021-04-13 16:11:10 UTC

This was fixed for Fedora with the 5.7.16 stable kernel updates.

Comment 26 Dave Airlie 2021-06-09 19:29:39 UTC

This analysis is bogus and makes no sense. Where did someone get the idea for this fixing a double free in nouveau? The code before and after the patch is correct and operates the same.

Comment 28 Rohit Keshri 2021-06-24 07:25:01 UTC

Hi David, I got a chance to revisit the flaw, where Greg said exploiting this flaw needs fault injection enabled (https://seclists.org/oss-sec/2020/q3/127), which is not enabled in any version of RHEL, so marking RHEL not affected.
